Unable to connect with router

Do you have your router doing Network Address Translation? If you do, then try using PIX 6.3 and configuring isakmp nat-traversal 20

Hello Psychogenic,

I think you have this kind of a network setup

+--------pix=======Tunnel=========Router lan | +----Router---------Internet To go through the tunnel your PC is using 'route add and the default gateway is router to go to the internet

This setup can be optimized + ---PIX========tunnel=========router lan-------Router| +----------------internet

For the above topology you need a static route entry in the router to point to pix if the user wants to go to the remote router through VPN tunnel. command will be (router) ip route

or lan----------Router-------PIX-----------internet +==============Tunnel

You do not need any configuration settings in PIX. In the router you only need the default router pointing to the PIX.

Let us know if that works

-Vikas

Thanks all for your replies.

Our setup is currently like this:

LAN ---- Router ---- PIX ------- Internet +================Tunnel

As you drew in your last example. The tunnel is set to connect the PIX public interface to the remote site's router. The default gateway being used by hte machines is pointing to the PIX private interface. So on the router I just need to add

ip route

Thanks again.

Hello, What kind of a router is that? Why do you have PIX inside interface as your dgw? Why cant the router interface be dgw? Is that a cisco router?

I would have configured it in this way:

lan---------fe0_Router_fe1---------in_PIX_out---dsl-----internet

fe0 = 192.168.1.1/24 lan=192.168.1.0/24 fe1=192.168.200.1/24 PIX_in=192.168.200.2/24 PIX_out=what ever dsl provides (dhcp in most of the cases).

PC will have router fe0 as the dgw (192.168.1.1) router will have dgw as PIX. ip route 0.0.0.0 0.0.0.0 192.168.200.2 PIX will have route route outside 0.0.0.0 0.0.0.0 interface outside (please check the command syntax) PIX will have other natting commands as well global (outside) 1 interface nat (inside) 1 0

This way you will be securing the complete lan with the fw. (I hope you own the fw)

I hope I am answering your question.

-Vikas

The router is a Yamaha router. There is no nat running since I'm using Cisco EasyVPN. I'll change the dgw of the machines to use the router instead.I'm not sure about this command:

route outside 0.0.0.0 0.0.0.0 interface outside

when i do route outside 0.0.0.0 0.0.0.0 ?

It asks me: The address of the gateway by which the foreign network is reached.

So I add in the public interface?

Thanks.

Hello,

This is the default route which will be there in the PIX.

Thanks, I can finally connect to the remote site when the router is put back in. However, now there's a new problem where I can't get to the internet now. If I bring down the vpn tunnel then internet seems to work fine. Can they not co-exist on the same interface?

You are using Easy VPN (which is not that easy btw). Internet and easy VPN can coexist only if the configuration allows it to coexist. The nat/path needs to be enabled by the server side by split tunnel or that can be converted to Network Mode. Nothing is in your PIX which can be changed.

You can disble the easy vpn client when you are accessing the internet.

Vikas

I am using network extension mode for easyvpn and preferably its something I do not want disabled.